Phishing is an attempt to steal important data like login details, passwords or credit card numbers from unsuspecting users. It is a major threat to today's internet. According to the Microsoft Intelligence report, phishing emails increased by 250% in the year 2018. Most web browsers ship with some defensive system, in the form of blacklists and other measures, to detect phishing attacks. A successful attack leads to devastating results: unauthorized purchases, stolen funds, or identity theft.
Many web browsers hide the address bar: when the user scrolls down to read more of a webpage, the address bar disappears. This removes the strongest identifying indicator for that webpage and opens a new way to phish users. Chrome is the most widely used internet and mobile browser on most devices; it is developed and maintained by Google and is considered safe. Jim Fisher has found a new exploit called the Inception Bar.
An Inception Bar: A new way to do phishing
For an ordinary person, phishing is never fun. Hackers find it exciting and intriguing because it lets them harvest a great deal of information, often more than they expected. For mobile users, any form of phishing must be avoided. The search giant Google has a security feature that tells the public how to distinguish real websites from fake ones, yet a security issue remains: a fake web address can be shown while a website is browsed from Chrome on mobile. Officially it is known as the inception bar. It lets hackers deceive users by masking the real website address with a fake URL. The fake bar shows up with a padlock icon, so the user is given no hint that the site is not real.
Various websites may look secure and legitimate when an inception bar is present. It is deception of the highest kind in the Chrome mobile browser, and it appears dynamic because it contains interactive content.
How does the Inception bar work?
In the Chrome app for mobile, when the user scrolls down, the browser hides the URL bar, leaving only the webpage on screen. Users assume that anything drawn in the URL bar's position is trustworthy browser UI. A phishing site exploits this by posing as a different website and displaying its own fake URL bar, the so-called inception bar.
That is bad, and it gets worse. When the user scrolls up, Chrome normally re-displays the true URL bar. But this can be tricked so that the true URL bar never reappears: the entire content of the website is placed inside an element with overflow: scroll, a "scroll jail". The user thinks they are scrolling the page, but in reality they are scrolling inside the scroll jail. It is like a dream within a dream in the film Inception: the user believes they are in their own browser, but there is another browser inside their browser.
Some interesting details about the inception bar
It gets worse still. The user should be able to scroll to the top of the scroll jail, and once there Chrome would re-display the URL bar. This too can be disabled: a very tall padding element is inserted at the top of the scroll jail, and if the user tries to scroll into the padding, the page scrolls them back down to the start of the content. To the user this looks more or less like a page refresh.
To prove the concept, James Fisher took a screenshot of Chrome's URL bar on the HSBC website and inserted it into the webpage. With some more effort, the page could detect which browser it is running in and forge an inception bar matching that browser, and the inception bar could be made interactive. Even if the user is not fooled by the current page, the phisher gets another try after the user types "Gmail.com" into the inception bar.
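As an added example from the defender's side (not code from the original article or from Jim Fisher), the following JavaScript heuristic flags the scroll-jail layout described above: a screen-sized scrollable container, a very tall leading spacer, and a document body that cannot scroll. The function names (findScrollJail, bodyIsScrollable, collectBoxes) and box field names are assumptions, and the sample layouts are constructed.

```javascript
// Added example, not from the original article: a detector for the "scroll
// jail" layout. findScrollJail() works on plain box descriptions so it runs
// anywhere; collectBoxes() (an assumed helper) builds those descriptions from
// the live DOM. Box fields (assumed): tag, overflowY, top, height, parent, isFirstChild.
function findScrollJail(boxes, viewportHeight) {
  const findings = [];
  for (const b of boxes) {
    const scrollable = b.overflowY === 'scroll' || b.overflowY === 'auto';
    const fillsViewport = b.top <= 0 && b.height >= viewportHeight * 0.95;
    if (!scrollable || !fillsViewport) continue;
    // A screen-sized scroll container means the document itself never scrolls,
    // so Chrome never sees the scroll that would bring its real URL bar back.
    const finding = { tag: b.tag, reasons: ['full-viewport scroll container'] };
    // A very tall first child matches the padding trick the article describes.
    const first = boxes.find(c => c.parent === b.tag && c.isFirstChild);
    if (first && first.height > viewportHeight * 3) {
      finding.reasons.push('tall leading spacer (' + first.height + 'px)');
    }
    findings.push(finding);
  }
  return findings;
}
// True when the document itself can scroll, i.e. the real URL bar can return.
function bodyIsScrollable(documentScrollHeight, viewportHeight) {
  return documentScrollHeight > viewportHeight;
}
function collectBoxes() {
  // Only meaningful inside a browser; returns [] under Node so the file still runs.
  if (typeof document === 'undefined') return [];
  const name = el => el.tagName.toLowerCase() + (el.id ? '#' + el.id : '');
  return Array.from(document.querySelectorAll('body *')).map(el => ({
    tag: name(el),
    overflowY: getComputedStyle(el).overflowY,
    top: el.getBoundingClientRect().top,
    height: el.getBoundingClientRect().height,
    parent: el.parentElement ? name(el.parentElement) : null,
    isFirstChild: !!el.parentElement && el.parentElement.firstElementChild === el,
  }));
}
// Constructed sample layouts (not captured from any real site); 640px viewport.
const VIEWPORT = 640;
const jailedPage = [
  { tag: 'div#jail', overflowY: 'scroll', top: 0, height: 640, parent: 'body', isFirstChild: true },
  { tag: 'div#spacer', overflowY: 'visible', top: 0, height: 4000, parent: 'div#jail', isFirstChild: true },
  { tag: 'main', overflowY: 'visible', top: 4000, height: 3000, parent: 'div#jail', isFirstChild: false },
];
const normalPage = [{ tag: 'main', overflowY: 'visible', top: 0, height: 3000, parent: 'body', isFirstChild: true }];
```

In a browser, calling findScrollJail(collectBoxes(), window.innerHeight) together with bodyIsScrollable(document.documentElement.scrollHeight, window.innerHeight) gives a quick read on whether the page can keep Chrome's real bar hidden.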
Is the Inception Bar a real security flaw in Chrome?
James Fisher, who created the inception bar, discovered the technique accidentally. It is used to fool users who are unaware of it and less technically literate. Users can verify the true URL on page load, before scrolling the page; after that, they may not be able to escape.
How can users safeguard against this type of attack?
The fix is still unknown, even though it is a security flaw in Chrome. There is a tradeoff between maximizing screen space on one side and retaining trusted space on the other. Chrome would have to compromise between retaining a small trusted space and giving all of the screen space to the web.
How to check whether the address bar has been tampered with?
Checking whether the address bar has been tampered with is easy, but leaving the page without paying attention to Chrome for Android's address bar is not. It should be as easy as pressing the device's back button, but various websites show that it is easy to override the browser's back button.
The best way to check whether the address bar has been tampered with is to lock the phone and unlock it again. This forces Chrome for Android to show the real address bar and dismiss the fake one. If the phishing method is developed further, things could get more complicated: someone could use a form that accepts input instead of a static image, and make the icons behave more realistically.
A few measures will keep users safe from this kind of phishing
• When inception bar trickery is at work, users are sometimes able to see two different URL bars simultaneously: the real one above and the doctored one below it.
• The inception bar generally displays an incorrect number of tabs. Users should keep a check on their tab count; a mismatch reveals the anomaly.
• Chrome has a dark mode. This feature renders all the UI in black, so if a hacker has superimposed a fake URL bar it will appear in white or some other color. Switching back to normal mode can also reveal a fake URL bar; if the image was created to match dark mode, the user can do the reverse.
• Users may enable reader mode or change background themes to spot any suspicious UI element.
New Features in Chrome
In recent developments, Chrome 74 is now rolling out to Apple iOS, Google Chrome, and the Microsoft Windows desktop platform. It is available around the world and brings dark mode to the Chrome user interface.
A new enhancement is now available to the small community of Windows users. According to Google's statement in an official blog post, the Chrome team is delighted to announce the promotion of Chrome 74 to the stable channel for Windows, Mac and Linux. It will roll out over the coming days or weeks. The new version, Chrome 74.0.3729.108, contains a number of fixes and improvements.
Chrome automatically protects the user from security issues like phishing and dangerous sites. Users who download Chrome for Windows can check for the new version with dark mode for the Chrome UI.
How to stay protected from phishing?
Two-factor authentication (2FA) is the most effective method for avoiding phishing attacks. It adds an extra verification step when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a username and password, and something they have, such as a smartphone. When employees are compromised, 2FA prevents their credentials from being misused.
In addition to 2FA, organizations should enforce password management policies. Employees must change their passwords frequently and should not be allowed to reuse the same password across multiple applications.
Educational campaigns may help diminish the threat of phishing attacks by enforcing secure practices such as not clicking external links.
Google Safe Browsing
Google Safe Browsing is a technology that examines billions of URLs per day looking for unsafe websites. Every day Google discovers many new unsafe websites; most of them are legitimate sites that have been compromised. When Google detects an unsafe website, it shows warnings in Google Search and in web browsers. Users may also look up whether a website is dangerous to visit.
Phishing violates users' privacy. It can lead to serious consequences like theft of data, personal information and sometimes money from bank accounts. The inception bar is an interesting way to phish someone. A few months back, a similar hack targeted the cryptocurrency firm Binance: the URL was off, "binanceweb.com" instead of binance.com, with no warning to check the URL.
Many phishing attacks like this exist. Users should be careful while surfing the internet, because they may not know when their information has been compromised or hacked. It is always better to avoid giving information to any website or email unnecessarily. The inception bar is just as dangerous for users, who need to be careful with the URL bar and website address.
Phishing is just one kind of attempt to breach the security of an individual. Besides it, other emerging threats pose an equal danger. If you want to learn how to protect yourself against these threats in detail, try the "CompTIA Cybersecurity Analyst CySA+ (CSA+): The Total Course" online tutorial, taught by a former army intelligence professional. With 7 hours of video, it covers more than 50 lectures, explaining all the terminology and many advanced concepts.
And if you are looking for something more suited to an ordinary individual protecting their system from outside attacks, you can try the "Cyber Security For Normal People: Protect Yourself Online" course, which offers 1.5 hours of video in 35 lectures.